Information Security Awareness & Training Standard
Purpose
This standard outlines the responsibilities of university units in ensuring that their staff are appropriately trained to maintain compliance with regulations that protect sensitive data.
Scope
This standard applies to all 91探花 faculty, staff, student employees, and any third-party affiliates who require access to sensitive university data.
Standard
91探花 is required to protect the confidentiality, integrity, and availability of its data, and as such relies on its employees to be good data stewards and custodians. It is the responsibility of each department to ensure that their staff are appropriately trained in information security best practices for the type of data they process, store, transmit, or access. The department must select the training their staff requires based on data classification and all relevant regulations. For example, some regulations, such as HIPAA and PCI-DSS, require annual information security training to maintain compliance.
The Office of Information Technology makes available general information security training to faculty, staff, and student employees. Training can be accessed by visiting /oit/security/it-security-training.This training is very broad and intended to be a foundation on which to build more specific skills in accordance with the classification of data a unit processes, stores, transmits, or accesses. On its own, this training does not meet the requirements set out by regulations such as HIPAA and PCI-DSS, therefore it is recommended this training be taken in addition to other specific regulatory compliance coursework.
Departments requesting guidance in identifying appropriate training for their staff may contact the data owner for that sensitive data element.
FERPA: Contact the University Registrar
HIPAA: Contact the HIPAA Chief Privacy Officer
PCI-DSS: Contact the Office of the Bursar
Other sensitive data: Contact the Information Security Office
References
- NIST 800 Series Publications
- Policy 93.001 Data Classification
Governance
This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
Information Technology: Ed Carter (Chair)
Human Resources: Michael Courtney
Faculty: Hans Kruse
Senior Associate Dean: Brian McCarthy
Finance and Administration: Julie Allison
Faculty: Shawn Ostermann
Regional Higher Education: Larry Tumblin
Research and Sponsored Programs: Susan Robb
Risk Management & Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved August 3, 2023. This policy was re-reviewed and approved on November 2, 2023.